---

Caldera Advisory: rsync supplementary groups

____________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                Linux: rsync supplementary groups vulnerability
Advisory number:        CSSA-2002-014.0
Issue date:             2002, April 03
Cross reference:
____________________________________________________________________________


1. Problem Description

        Supplementary groups to which the rsync daemon belongs (such as
        root) were not removed from the server process before it performed
        work as an unprivileged uid and gid. The rsync daemon was also
        compiled with a vulnerable version of the zlib library. This
        package corrects both these issues.


2. Vulnerable Supported Versions

        System                          Package
        -----------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to rsync-2.5.0-5.i386.rpm/
                                        prior to rsync-2.5.0-5.src.rpm/

        OpenLinux 3.1.1 Workstation     prior to rsync-2.5.0-5.i386.rpm/
                                        prior to rsync-2.5.0-5.src.rpm/


3. Solution

        The proper solution is to install the latest packages.

4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

        2c8f978df12dabf073361c86f7012210        rsync-2.5.0-5.i386.rpm/

        4.2 Installation

        Install the packages with the following sequence:
                
                rpm -Fvh  
                        rsync-2.5.0-5.i386.rpm/
                
        4.3 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

        bffd618c0ad88252b35c33ac821253ad        rsync-2.5.0-5.src.rpm/


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

        2c8f978df12dabf073361c86f7012210        rsync-2.5.0-5.i386.rpm/

        5.2 Installation

        Install the packages with the following sequence:
                
                rpm -Fvh 
                        rsync-2.5.0-5.i386.rpm/
                
        5.3 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

        bffd618c0ad88252b35c33ac821253ad        rsync-2.5.0-5.src.rpm/


6. References

        Specific references for this advisory:
                none


        Caldera OpenLinux security resources:
                http://www.caldera.com/support/security/index.html

        Caldera UNIX security resources:
                http://stage.caldera.com/support/security/

        This security fix closes Caldera incidents sr862089, fz520415,
        and erg711995.


7. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on this website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera products.


8. Acknowledgements

        Ethan Benson discovered and researched this vulnerability.

____________________________________________________________________________


--pf9I7BMVVzbSWLtt
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyrmgoACgkQbluZssSXDTEVcQCg9uiPgzgfPvPXkxJwm1HOXfd5
LAAAn1SreMOXu8Dur7Du2Fg/Z53yyTqr
=hkLL
-----END PGP SIGNATURE-----

--pf9I7BMVVzbSWLtt--


Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis